Azure-Sentinel/Workbooks/ZscalerThreats.json

{
"name": "{workbook_name}",
"location": "{workbook_location}",
"tags": null,
"type": "microsoft.insights/workbooks",
"kind": "shared",
"properties": {
"displayName": "{workbook_displayName}",
"version": "1.0",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":\"{\\\"json\\\":\\\"## Zscaler Threats Overview\\\"}\",\"name\":\"text - 0\"},{\"type\":9,\"content\":\"{\\\"version\\\":\\\"KqlParameterItem/1.0\\\",\\\"query\\\":\\\"\\\",\\\"crossComponentResources\\\":[],\\\"parameters\\\":[{\\\"id\\\":\\\"e6ceec81-0d4d-420e-8ed3-062a7eb4129a\\\",\\\"version\\\":\\\"KqlParameterItem/1.0\\\",\\\"name\\\":\\\"TimeRange\\\",\\\"type\\\":4,\\\"isRequired\\\":true,\\\"value\\\":{\\\"durationMs\\\":604800000},\\\"typeSettings\\\":{\\\"selectableValues\\\":[{\\\"durationMs\\\":300000},{\\\"durationMs\\\":900000},{\\\"durationMs\\\":1800000},{\\\"durationMs\\\":3600000},{\\\"durationMs\\\":14400000},{\\\"durationMs\\\":43200000},{\\\"durationMs\\\":86400000},{\\\"durationMs\\\":172800000},{\\\"durationMs\\\":259200000},{\\\"durationMs\\\":604800000},{\\\"durationMs\\\":1209600000},{\\\"durationMs\\\":2419200000},{\\\"durationMs\\\":2592000000},{\\\"durationMs\\\":5184000000},{\\\"durationMs\\\":7776000000}],\\\"allowCustom\\\":true}}],\\\"style\\\":\\\"pills\\\",\\\"queryType\\\":0,\\\"resourceType\\\":\\\"microsoft.operationalinsights/workspaces\\\"}\",\"name\":\"parameters - 1\"},{\"type\":3,\"content\":\"{\\\"version\\\":\\\"KqlItem/1.0\\\",\\\"query\\\":\\\"CommonSecurityLog\\\\r\\\\n| where DeviceVendor == \\\\\\\"Zscaler\\\\\\\"\\\\r\\\\n| where SimplifiedDeviceAction == \\\\\\\"Blocked\\\\\\\"\\\\r\\\\n| where DeviceCustomString5Label == \\\\\\\"threatname\\\\\\\" \\\\r\\\\n| where DeviceCustomString5 != \\\\\\\"None\\\\\\\" \\\\r\\\\n| where DeviceCustomString5 != \\\\\\\"suspiciousfile\\\\\\\" \\\\r\\\\n| summarize Count = count() by ['Threat name'] = DeviceCustomString5, threatname = DeviceCustomString5\\\\r\\\\n| order by Count desc\\\",\\\"size\\\":0,\\\"exportFieldName\\\":\\\"threatname\\\",\\\"exportParameterName\\\":\\\"threatname\\\",\\\"exportDefaultValue\\\":\\\"All\\\",\\\"title\\\":\\\"Blocked 
threats\\\",\\\"timeContext\\\":{\\\"durationMs\\\":0},\\\"timeContextFromParameter\\\":\\\"TimeRange\\\",\\\"queryType\\\":0,\\\"resourceType\\\":\\\"microsoft.operationalinsights/workspaces\\\",\\\"gridSettings\\\":{\\\"formatters\\\":[{\\\"columnMatch\\\":\\\"Threat name\\\",\\\"formatter\\\":0,\\\"formatOptions\\\":{\\\"showIcon\\\":true}},{\\\"columnMatch\\\":\\\"threatname\\\",\\\"formatter\\\":5,\\\"formatOptions\\\":{\\\"showIcon\\\":true}},{\\\"columnMatch\\\":\\\"Count\\\",\\\"formatter\\\":8,\\\"formatOptions\\\":{\\\"palette\\\":\\\"greenRed\\\",\\\"showIcon\\\":true}}],\\\"filter\\\":true,\\\"labelSettings\\\":[]}}\",\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":\"{\\\"version\\\":\\\"KqlItem/1.0\\\",\\\"query\\\":\\\"CommonSecurityLog\\\\r\\\\n| where DeviceVendor == \\\\\\\"Zscaler\\\\\\\"\\\\r\\\\n| where SimplifiedDeviceAction == \\\\\\\"Blocked\\\\\\\"\\\\r\\\\n| where DeviceCustomString5Label == \\\\\\\"threatname\\\\\\\" \\\\r\\\\n| where DeviceCustomString5 != \\\\\\\"None\\\\\\\" \\\\r\\\\n| where DeviceCustomString5 != \\\\\\\"suspiciousfile\\\\\\\"\\\\r\\\\n| where '{threatname}' == \\\\\\\"All\\\\\\\" or '{threatname}' == DeviceCustomString5 \\\\r\\\\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}), ['Threat name'] = DeviceCustomString5\\\\r\\\\n\\\",\\\"size\\\":0,\\\"title\\\":\\\"Blocked threats over time\\\",\\\"timeContext\\\":{\\\"durationMs\\\":0},\\\"timeContextFromParameter\\\":\\\"TimeRange\\\",\\\"queryType\\\":0,\\\"resourceType\\\":\\\"microsoft.operationalinsights/workspaces\\\",\\\"visualization\\\":\\\"barchart\\\"}\",\"customWidth\":\"70\",\"name\":\"query - 2\"},{\"type\":3,\"content\":\"{\\\"version\\\":\\\"KqlItem/1.0\\\",\\\"query\\\":\\\"CommonSecurityLog\\\\r\\\\n| where DeviceVendor == \\\\\\\"Zscaler\\\\\\\"\\\\r\\\\n| where SimplifiedDeviceAction contains \\\\\\\"Block\\\\\\\"\\\\r\\\\n| where DeviceProduct == \\\\\\\"NSSWeblog\\\\\\\" \\\\r\\\\n| where DeviceCustomString2 != 
\\\\\\\"\\\\\\\"\\\\r\\\\n| summarize Count = count() by urlcat = DeviceCustomString2\\\\r\\\\n| order by Count desc\\\\r\\\\n\\\",\\
"category": "sentinel",
"isPersisted": true,
"tags": [ "ZscalerThreatsOverviewWorkbook", "1.0" ]
}
}